I rarely talk about JoinMarket, because it does many things differently than most privacy technologies. An exception to this is my article: CoinJoin vs TumbleBit. This post could be considered the follow-up on it however, reading that is not a prerequisite.
In that article I started slowly, I even explained how Bitcoin transactions work, how privacy technologies evolved and at the end I compared JoinMarket, TumbleBit and “CoinJoin as envisioned” with each other.
More importantly I personally achieved a breakthrough, as I wrote that article I realized, what I called at the time “CoinJoin as envisioned” would be superior to TumbleBit’s Classic Tumbler mode both in terms of speed and in costs. What followed may sound “too good to be true,” although it turned out to be true. I discovered Gregory Maxwell in 2013 already described the basic idea on how that can be achieved and I could not resist. I decided to drop my half ready TumbleBit integration in HiddenWallet and figure out how we can build “CoinJoin as envisioned.” In fact, this system, that I called Chaumian CoinJoin was so simple and elegant, that I even had time to take care of every other variable, mixing techniques always consider “out of their scope.” For example, one of this is: defending against network analysis. So ZeroLink was born. The best part was that it greatly outperformed my expectations on what I thought “CoinJoin as envisioned” can do in terms of anonymity set and speed of rounds.
For some context, here is a quick, incomplete, likely incorrect brain dump, that illustrates how privacy technologies are connected to each other:
CoinJoin In A Nutshell
Both ZeroLink’s mixing technique: Chaumian CoinJoin (CCJ) and JoinMarket (JM) are CoinJoin(CJ) based techniques. When multiple people join their inputs together into one transaction, that is a CJ transaction. Blockchain.info’s SharedCoin did exactly this, however, based on simple amount analysis, anyone can re-establish the links between transaction inputs and outputs. Therefore, the transaction outputs must have a common denomination, so nobody will be able to tell which input is intended to fund which output.
How this is achieved is the main difference between JM and CCJ.
Chaumian CoinJoin In a Nutshell
An obvious way to achieve this would be introducing multiple mixing rounds. We set a common denomination, let us say 1 BTC and if one participant has 8 BTC, he will participate in 8 rounds, while the other participant, who possesses 5 BTC will only participate in 5 rounds.
JoinMarket In A Nutshell
On the contrary, JoinMarket introduces a clever hack. It divides its participants to market makers and market takers. Market makers wait silently, until a market taker contacts them: “hey I want to make a transaction with 4.202 BTC, wanna make a CoinJoin with me?” So, market makers accept the offer and participate in the mix.
In the category of anonymity set, Chaumian CoinJoin is the obvious winner. As you may probably figured it out, in JoinMarket, the market taker must pay not only for the whole transaction, however, he must pay a small fee for every maker. If we assume an anonymity set of 100, which we are intending to set as the minimum anonymity set of our CCJ implementation, and the network fees as $1, then in JM the taker would have to pay
100*$1 + maker fees, which is not feasible.
While I argued Chaumian CoinJoin’s superiority in anonymity set, because of JoinMarket’s costs, CCJ is not a clear winner in terms of costs. In CCJ, the costs depend on how many coins a user wants to mix, while in JM, it is a one-time thing.
What happens if we introduce the anonymity set to the graph?
Because market makers are always ready to do transactions, JoinMarket is a clear winner in terms of speed. On the contrary in Chaumian CoinJoin, it is possible, and at the beginning it is very likely that one must wait for a week for the mix to reach 100 peers, so the round can start.
The speed of a round can be optimized to near instant in both protocols, so that is not an issue.
Strength of Privacy
The strength of privacy is a tricky question in both JoinMarket and Chaumian CoinJoin. In JM, because the market makers make the same transactions over and over again, it is fairly easy to figure out who was the taker by looking at transaction chains, so at best it achieves plausible deniability, rather than unlinkability. While in CCJ round based denominations bring a whole other set of issues, which is the very reason why ZeroLink was created. In theory it could provide perfect unlinkability, although I am afraid that the multiple implementations will ruin this somehow, for example with HTTP fingerprinting, and it will take some time to bring everyone to conform to every rule. On the other hand, the more implementations we have the more liquidity we will achieve. The higher the liquidity, the faster the rounds and higher the anonymity sets are. So, in the end many implementations may very well result in better privacy overall.
It is not over yet. JoinMarket has a tumbler mode, too. Without going into the details, the main difference between the mode I discussed and the tumbler mode is that, the tumbler mode is slower, it runs from half a day to two days, and it is more expensive. However, the deanonymization attack, discussed above, for various reasons, does not work on it. Unfortunately, it still works with small anonymity sets.
Bonus: Add Confidential Transactions
Confidential Transactions (CT) is three to ten years down the road from getting into Bitcoin, so I will just very briefly touch the subject, however both of these technologies would gain a lot from it. In a nutshell, CT masks the amounts of the transaction outputs, which in JoinMarket, would make it harder for Blockchain analysis to distinguish between takers and makers and in Chaumian CoinJoin, it would eliminate the need for multiple rounds. Basically, all the complexity, both technologies needed to introduce all comes down to the notion that transaction amounts must be hidden somehow. CT is the ultimate solution for this problem.
It is surprisingly hard to compare these two technologies, despite the fact that they have the same roots. In general, ZeroLink provides stronger anonymity, while JoinMarket is faster. Simplistic statements like this are bleeding from many wounds though, so do not dare to highlight them.
The last thing must be done, before ZeroLink’s public testing can start is merging Matthew’s PR about optimizing GUI responses. In the meantime, I am trying to create some content like this, so raise awareness of this project, work on Jonas Schnelli’s Bitcoin Core full block SPV PR, thus in the future I can possibly replace my buggy back end of HiddenWallet with it.
Support is always welcome.